DETAILED ACTION

1. This Office Action is in response to the amendment filed 6/22/06. Claims 1-20
are currently pending in the application. 

Claim Rejections - 35 USC § 103 

2. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

3. Claims 1-4, 7-8, 10, and 15-20 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Adrangi et al. (U.S. Application 10/323486) in view of Liu et al. (U.S. 
Publication US 2004/0120295 A1).

With respect to claim 1, Adrangi et al. discloses a system for providing secure 
mobile connectivity that implements Mobile IP Home Agent functionality via distributed 
components (See the abstract of Adrangi et al. for reference to a system providing 
secure mobile roaming using distributed components). Adrangi et al. also 
discloses a mobile node belonging to a home network located within a secure network 
with the mobile node having a network interface configured to communicate with other 
nodes (See page 2 paragraphs 20-22 and Figure 3 of Adrangi et al. for reference to
a mobile node 140 having an interface to communicate with other nodes
belonging to corporate intranet 100, which is a home network for mobile node 140 
and is also a secure network). Adrangi et al. further discloses that the mobile node 
has only one security association and one mobility binding with a Home Agent for the 
Mobile IP Home Agent functionality (See page 3 paragraphs 23-28 and Figures 3-4 of 
Adrangi et al. for reference to a mobile node creating a single security 
association, an IPSec tunnel, with a VPN 225 and for reference to a mobile node 
having one mobility bind, the care-of address COAx, which is the mobile node's 
address on the external network). Adrangi et al. also discloses a Proxy Home Agent 
connected to the home network and located within the secure network wherein the PHA 
is configured to provide a proxying functionality (See page 2 paragraph 20, page 3 
paragraph 28, and Figures 3-5 of Adrangi et al. for reference to home agent 300, 
which is a Proxy Home Agent providing Mobile IP Home Agent functionality, 
located within the corporate intranet 100, and for reference to home agent 300 
performing a proxy functionality by determining that a mobile node is not in its 
home location and forwarding the packet to the VPN gateway 225 based on this 
determination). Adrangi et al. further discloses a Home Agent located outside of the 
secure network wherein the HA is configured to provide a signaling and tunneling 
functionality (See page 2 paragraph 20, page 3 paragraph 38 and Figures 3-5 of 
Adrangi et al. for reference to home agent 305, which provides Mobile IP Home 
Agent functionality, located outside the corporate intranet 100 and for reference 
to home agent 305 providing a signaling and tunneling functionality by tunneling
packets to a mobile node 140 based on the care-of address, COAx, of the mobile
node). Adrangi et al. also discloses a VPN located outside the secure network and 
configured to work in conjunction with the HA (See page 2 paragraph 20 and Figure 3 
of Adrangi et al. for reference to VPN gateway 225 located outside the corporate 
intranet 100 and configured to work with the home agent 305). Adrangi et al. does 
not disclose that the HA is configured to notify the PHA of the mobile node. 

With respect to claim 15, Adrangi et al. discloses a method for secure 
communication (See the abstract of Adrangi et al. for reference to a method 
providing secure mobile roaming). Adrangi et al. also discloses a mobile node 
associated with a home network in a secure network and a corresponding node (See 
page 2 paragraphs 20-22 and Figure 3 of Adrangi et al. for reference to a mobile 
node 140 having an interface to communicate with other nodes, including CN 310, 
belonging to corporate intranet 100, which is a home network for mobile node 140 
and is also a secure network). Adrangi et al. further discloses establishing a Proxy 
Home Agent located within the secure network to monitor data directed to the mobile 
node (See page 2 paragraph 20 and Figure 3 of Adrangi et al. for reference to 
home agent 300, which is a Proxy Home Agent providing Mobile IP Home Agent 
functionality, located within the corporate intranet 100). Adrangi et al. also 
discloses establishing a Home Agent configured to create a security association with 
the mobile node (See page 2 paragraph 20 and Figure 3 of Adrangi et al. for 
reference to home agent 305, which provides Mobile IP Home Agent functionality, 
located outside the corporate intranet 100). Adrangi et al. further discloses collecting
data directed to the mobile node (See page 2 paragraph 20 to page 3 paragraph 25
of Adrangi et al. for reference to both home agent 300 and home agent 305 being 
used to collect and route data directed to the mobile node 140). Adrangi et al. also 
discloses packaging the collected data in a VPN secure tunnel to an internal address of 
the mobile node to create VPN packaged data and tunneling the VPN packaged data to 
a current address of the mobile node (See page 3 paragraphs 26-28 and Figure 4 of 
Adrangi et al. for reference to using a VPN gateway 225 to package data in a 
secure VPN tunnel to an internal address of the mobile node 140 and tunneling 
the data to a care of address of the mobile node 140). Adrangi et al. does not 
disclose that the HA is configured to notify the PHA of the mobile node. 

With respect to claim 19, Adrangi et al. discloses a system for secure mobile 
connectivity that implements Mobile IP Home Agent functionality via distributed 
components (See the abstract of Adrangi et al. for reference to a system providing 
secure mobile roaming using distributed components). Adrangi et al. also
discloses a means for establishing a Proxy Home Agent located within the secure 
network to monitor data directed to the mobile node (See page 2 paragraph 20 and 
Figure 3 of Adrangi et al. for reference to home agent 300, which is a Proxy Home 
Agent providing Mobile IP Home Agent functionality, located within corporate 
intranet 100, which is a secure network). Adrangi et al. further discloses a means for 
establishing a Home Agent configured to create a security association with the mobile 
node (See page 2 paragraph 20 and Figure 3 of Adrangi et al. for reference to 
home agent 305, which provides Mobile IP Home Agent functionality, located
outside the corporate intranet 100). Adrangi et al. also discloses a means for
collecting data directed to the mobile node (See page 2 paragraph 20 to page 3 
paragraph 25 of Adrangi et al. for reference to both home agent 300 and home 
agent 305 being used to collect and route data directed to the mobile node 140). 
Adrangi et al. further discloses a means for packaging the collected data in a VPN 
secure tunnel to an internal address of the mobile node to create VPN packaged data 
and a means for tunneling the VPN packaged data to a current address of the mobile 
node (See page 3 paragraphs 26-28 and Figure 4 of Adrangi et al. for reference to 
using a VPN gateway 225 to package data in a secure VPN tunnel to an internal 
address of the mobile node 140 and tunneling the data to a care of address of the 
mobile node 140). Adrangi et al. also discloses a means for the Home Agent to 
communicate to the PHA that the mobile node has either moved outside its home 
network or has come back to its home network (See pages 2-3 paragraphs 20-25 of 
Adrangi et al. for reference to the home agents 300 and 305 updating the current 
location of the mobile node 140 by storing a current care of address of the mobile 
node that indicates the location of the node). Adrangi et al. further discloses a 
means for enabling the PHA to create and remove a proxy ARP entry for a permanent 
address associated with the mobile node (See page 3 paragraph 25 of Adrangi et al. 
for reference to home agent 300 creating and removing care of address entries, 
which are proxy ARP entries for a permanent address associated with the mobile 
node 140). Adrangi et al. does not disclose that the HA is configured to notify the PHA 
of the mobile node.

With respect to claims 1, 15, and 19, Liu et al. ('295), in the field of
communications, discloses a home agent that notifies a proxy home agent of a mobile 
node (See page 3 paragraphs 34-35 and Figure 1 A of Liu et al. ('295) for reference 
to a mobile connectivity system 100 that includes a mobile node 120, an MIP 
proxy 102, which acts as a home agent, and a home agent 112, which acts as a 
proxy home agent, and for reference to the MIP proxy 102 sending a registration 
request, which is a notification of the mobile node 120, on behalf of the mobile 
node 120 to the home agent 112). Having the HA configured to notify the PHA of the 
mobile node has the advantage of allowing a mobile node to roam from network to 
network without requiring the mobile node to set up a new security binding each time 
the mobile node changes networks (See page 5 paragraph 53 of Liu et al. ('295) for 
reference to this advantage as well as other advantages). 

It would have been obvious for one of ordinary skill in the art at the time of the 
invention, when presented with the work of Liu et al. ('295), to combine having the HA 
configured to notify the PHA of the mobile node, as suggested by Liu et al. ('295), with 
the system and method of Adrangi et al., with the motivation being to allow a mobile 
node to roam from network to network without requiring the mobile node to set up a new 
security binding each time the mobile node changes networks. 

With respect to claim 2, Adrangi et al. discloses that the VPN gateway and the 
HA are located within a single device within a DMZ (See page 2 paragraph 20 and 
Figure 3 of Adrangi et al. for reference to home agent 305 and VPN gateway 225 
being located on a single processing device within a corporate DMZ 210).

With respect to claim 3, Adrangi et al. discloses a firewall coupled to the secure
network and the VPN gateway (See page 2 paragraph 20 and Figure 3 of Adrangi et
al. for reference to inner firewall 15 and outer firewall 20 being coupled to the
corporate intranet 100 and the VPN gateway 225).

With respect to claim 4, Adrangi et al. discloses that the HA is a separate
device from the VPN gateway (See page 2 paragraph 20 and Figure 3 of Adrangi et
al. for reference to the home agent 305 being implemented on an independent 
processing device within corporate DMZ 210, meaning the home agent 305 is a 
separate device from VPN gateway 225). 

With respect to claim 7, Adrangi et al. discloses a DMZ comprising a first router 
coupled to a second router that is coupled to the firewall with the VPN gateway coupled
to the first router and the firewall and the HA coupled to the router (See page 2 
paragraph 20 of Adrangi et al. for reference to VPN gateway 225, which acts as a 
first router by routing packets, for reference to the VPN gateway 225 being 
coupled to the home agent 305, which acts as a second router by routing packets, 
and for reference to the VPN gateway 225 and the home agent 305 being coupled 
to firewalls 15 and 20). 

With respect to claim 8, Adrangi et al. discloses that packets from the MN 
destined towards nodes inside the secure network first go to the HA and then to the 
VPN gateway that is configured to forward the packets through the firewall to the secure 
network (See page 3 paragraph 27 and Figure 4 of Adrangi et al. for reference to 
packets sent from MN 140 to CN 310, which is a node inside of the corporate
network 100, being first sent to home agent 305 and then to VPN gateway 225,
which sends the packets through the firewall to CN 310). 

With respect to claim 10, Adrangi et al. discloses that a router is directly 
connected to a firewall and the VPN gateway and the HA are connected to a different 
interface of the router and the firewall (See page 2 paragraph 20, page 3 paragraph 
28, page 4 paragraph 32 and Figure 3 of Adrangi et al. for reference to home 
agents 305 and 300 both acting as routers to route packets between networks and 
for reference to VPN gateway 225 being connected to an inner firewall 15 and an 
outer firewall 20 and for reference to the VPN gateway 225 and the home agent 
305 being separate devices meaning that their connections to the firewalls 15 and 
20 are through separate interfaces). 

With respect to claim 16, Adrangi et al. discloses that the VPN secure tunnel 
follows the IP security protocol (See page 2 paragraph 22 of Adrangi et al. for 
reference to using IPSec protocol). 

With respect to claim 17, Adrangi et al. discloses that the tunneling of the VPN 
packaged data to the external mobile node occurs according to the IP mobility protocol 
(See page 1 paragraph 3 of Adrangi et al. for reference to using mobile IP 
standards). 

With respect to claim 18, Adrangi et al. discloses packaging the collected data 
in an IP-in-IP tunnel and sending it to a VPN device for VPN encryption and tunneling 
the VPN packaged data to the current address of the mobile node (See page 4 
paragraph 29 and Figure 6 of Adrangi et al. for reference to packaging the data in
an IP-in-IP tunnel and sending it to a VPN gateway 225 for VPN encryption before
sending the packet to the care of address of the mobile node).

Application/Control Number: 10/603,916

Art Unit: 2616

With respect to claim 20, Adrangi et al. discloses a computer software product 
comprising instructions that cause an electronic device to perform the actions of Claim 15
(See page 4 paragraphs 33-34 of Adrangi et al. for reference to the devices of the
system of Adrangi et al. being embodied as data processing devices including
software comprising instructions that the devices of the system use to perform
the method of Adrangi et al.).

4. Claims 5, 9, and 14 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Adrangi et al. in view of Liu et al. ('295) and in further view of Liu et al. (U.S. 
Publication US 2003/0212900 A1). 

With respect to claim 5, Adrangi et al. discloses a DMZ located outside the 
secure network wherein the VPN gateway and the HA reside in the DMZ (See page 2 
paragraph 20 and Figure 3 of Adrangi et al. for reference to corporate DMZ 210 
that is located outside the secure network and includes the VPN gateway 225 and 
home agent 305). Adrangi et al. also discloses a first firewall between the secure 
network and the DMZ and a second firewall between the DMZ and an external network 
(See page 2 paragraph 20 and Figure 3 of Adrangi et al. for reference to inner 
firewall 15, which is a first firewall located between the corporate intranet 100 and 
the DMZ 210, and for reference to outer firewall 20, which is a second firewall 
located between the DMZ 210 and an external network 205). Adrangi et al. also
discloses that the mobile node has a permanent address in a known range (See page 1
paragraph 12 of Adrangi et al. for reference to a mobile node 140 having a 
permanent address that all data directed towards the mobile node is addressed to 
and for reference to a home agent intercepting and rerouting data to a care of 
address of the mobile node when the mobile node has exited its home network). 
The combination of Adrangi et al. and Liu et al. ('295) does not specifically disclose that 
the firewall is configured to deny communications from the external network with a 
source address in a known range. 

With respect to claim 9, the combination of Adrangi et al. and Liu et al. ('295) 
does not disclose a firewall dropping packets having a source address in a known 
range. 

With respect to claim 14, Adrangi et al. discloses a firewall coupled to the 
secure network and the VPN gateway (See page 2 paragraph 20 of Adrangi et al. for 
reference to inner firewall 15 coupled to both the corporate intranet 100 and the 
VPN gateway 225). The combination of Adrangi et al. and Liu et al. ('295) does not 
disclose dropping packets having a source address in a known range. 

With respect to claims 5, 9, and 14, Liu et al. ('900), in the field of 
communications, discloses a firewall dropping packets having a source address in a 
known range (See page 2 paragraph 19 of Liu et al. for reference to maintaining an 
ALC table 104 that is used to store address and ranges of address and a field 
indicating that the address or range of address should be dropped by a firewall). 
Using a firewall that drops packets having a source address in a known range has the
advantage of allowing better control of the packets that are allowed to enter a secure
network to protect against malicious packets. 

It would have been obvious for one of ordinary skill in the art at the time of the 
invention, when presented with the work of Liu et al. ('900), to combine using a firewall 
that drops packets having a source address in a known range, as suggested by Liu et 
al. ('900), with the system and method of Adrangi et al. and Liu et al. ('295), with the 
motivation being to allow better control of the packets that are allowed to enter a secure 
network to protect against malicious packets. 

5. Claims 6 and 11-13 are rejected under 35 U.S.C. 103(a) as being unpatentable
over Adrangi et al. in view of Liu et al. ('295) and Liu et al. ('900) as applied to claims 5, 
9, and 14 above, and further in view of Mikkonen (U.S. Application 10/185714). 

With respect to claim 6, Adrangi et al. discloses a DMZ located outside the 
secure network wherein the VPN gateway and the HA reside in the DMZ (See page 2 
paragraph 20 and Figure 3 of Adrangi et al. for reference to corporate DMZ 210 
that is located outside the secure network and includes the VPN gateway 225 and 
home agent 305). Adrangi et al. also discloses a first firewall between the secure 
network and the DMZ and a second firewall between the DMZ and an external network 
(See page 2 paragraph 20 and Figure 3 of Adrangi et al. for reference to inner 
firewall 15, which is a first firewall located between the corporate intranet 100 and 
the DMZ 210, and for reference to outer firewall 20, which is a second firewall 
located between the DMZ 210 and an external network 205). Adrangi et al. further
discloses that the mobile node has a permanent address in a known range (See page 1
paragraph 12 of Adrangi et al. for reference to a mobile node 140 having a 
permanent address that all data directed towards the mobile node is addressed to 
and for reference to a home agent intercepting and rerouting data to a care of 
address of the mobile node when the mobile node has exited its home network). 
Liu et al. ('900) discloses a firewall dropping packets having a source address in a 
known range (See page 2 paragraph 19 of Liu et al. for reference to maintaining an 
ALC table 104 that is used to store address and ranges of address and a field 
indicating that the address or range of address should be dropped by a firewall). 
The combination of Adrangi et al., Liu et al. ('900), and Liu et al. ('295) does not disclose 
that the VPN gateway has a direct connection to an internal interface of the first firewall. 

With respect to claim 11, Liu et al. ('900) discloses a firewall dropping packets 
having a source address in a known range (See page 2 paragraph 19 of Liu et al. for 
reference to maintaining an ALC table 104 that is used to store address and 
ranges of address and a field indicating that the address or range of address 
should be dropped by a firewall). The combination of Adrangi et al., Liu et al. ('900), 
and Liu et al. ('295) does not disclose that the VPN gateway has a direct connection to 
an internal interface of the first firewall. 

With respect to claims 6 and 11, Mikkonen, in the field of communications, 
discloses a firewall with an internal interface to a VPN gateway (See page 2 paragraph 
18 of Mikkonen for reference to a firewall 100 that also is used to operate as a 
VPN gateway meaning that since the firewall and gateway functions are
performed in the same device, that they must have an internal interface with each
other). Using a firewall with an internal connection to a VPN gateway has the 
advantage of allowing the operation of the firewall and VPN gateway to be better 
integrated so that secure packets received by the VPN gateway can be better filtered by 
the firewall. 

It would have been obvious for one of ordinary skill in the art at the time of the 
invention, when presented with the work of Mikkonen, to combine using a firewall with 
an internal interface to a VPN gateway, as suggested by Mikkonen, with the system and 
method of Adrangi et al., Liu et al. ('900), and Liu et al. ('295), with the motivation being 
to allow the operation of the firewall and VPN gateway to be better integrated so that 
secure packets received by the VPN gateway can be better filtered by the firewall. 

With respect to claim 12, Liu et al. ('900) discloses forwarding and decrypting 
packets, or otherwise dropping packets, according to a security association that exists 
(See page 2 paragraph 19 of Liu et al. for reference to using a table 104 to decide 
which packets to forward and which packets to drop according to a security 
payload index). 

With respect to claim 13, Adrangi et al. discloses that packets from the MN 
destined towards nodes inside the secure network first go to the HA and then to the 
VPN gateway that is configured to forward the packets through the firewall to the secure 
network (See page 3 paragraph 27 and Figure 4 of Adrangi et al. for reference to 
packets sent from MN 140 to CN 310, which is a node inside of the corporate
network 100, being first sent to home agent 305 and then to VPN gateway 225,
which sends the packets through the firewall to CN 310). 

Response to Arguments 

6. Applicant's arguments filed 6/22/06 have been fully considered but they are not
persuasive.

In response to Applicant's argument that: 

"Liu '295 does not disclose "sending a registration request, which is a 
notification of the mobile node 120, on behalf of the mobile node 120 to 
the home agent 112," as the Office Action suggests." (See Applicant's 
Remarks section) 

the Examiner respectfully disagrees. First, Liu et al. ('295) does state that the home 
agent 112 receives a registration request from MIP proxy 102 as maintained in the 
rejections above (See page 3 paragraph 34 of Liu et al. ('295) for reference to a home 
agent binding a MIP proxy address as a care-of address for the VPN gateway 104 after 
receiving a registration request from the MIP proxy 102). Liu et al. ('295) discloses that 
the MIP proxy 102 receives a registration request from a mobile node 120 and then 
forwards this registration request on behalf of the mobile node 120 to the home agent 
112 (See page 3 paragraphs 33-34 of Liu et al. ('295)). Also, the registration request 
sent from the MIP proxy to the home agent is a notification of the mobile node, as 
claimed, because the registration is used to notify the home agent of the current care-of
address to use in order to forward packets to the mobile node. Therefore, Liu et al.
('295) does disclose a "HA configured... to notify the PHA of the mobile node" as 
claimed. 

Conclusion 

7. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 



Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Jason E. Mattis whose telephone number is (571) 272-3154.
The examiner can normally be reached on M-F 8AM-5:30PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Huy Vu can be reached on (571) 272-3155. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.